NAT on Router vs ASA

sushil
Level 1

Hi,

What would be the best place to NAT in a network?

Router or ASA?

Router would be terminating the ISP connection and then ASA in place.

As the ASA doesn't have the option of PBR, would it be better to have it on the router?

On the other hand, I wanted to run IPsec on the ASA, but how would remote users or a remote peer see this if it is sitting behind a NATed router?

Is it to be done based on the deliverable, or is there any rule of thumb for this?

Curious to know if a router can be used instead of an ASA for NAT?

What are the pros and cons of using this?

Reg,

Sushil


Hi Sushil,

You can use either the ASA or router for NAT.

I prefer doing NAT on the ASA.

Normally, you decide to do NAT on the device that has the public IP assigned.

If, in this case, the router has the public IP, I say NAT on the router.

The IPsec VPN clients can still connect to the ASA if you create a static NAT translation to redirect VPN traffic to the ASA.

So, the VPN clients will actually connect to the public IP of the router, which will redirect the connection to the ASA.

If, on the other hand, the ASA also has a public IP, then NAT on the ASA and terminate the VPNs on that IP.

Either way, you can't go wrong, as long as the equipment that you have supports the amount of traffic and connections.

Federico.
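
The static translation described in the reply above, as an added IOS configuration sketch that is not part of the original post. The interface names and all addresses are constructed placeholders (203.0.113.0/24 is a documentation range), and it assumes NAT traversal is enabled on the ASA so that ESP is carried inside UDP 4500 and only the two UDP ports need forwarding.

```cisco
! Router facing the ISP; holds the only public address (constructed values)
interface GigabitEthernet0/0
 description Outside - ISP link
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
!
! Transit link to the ASA outside interface (ASA = 192.168.100.2, constructed)
interface GigabitEthernet0/1
 description Inside - to ASA outside
 ip address 192.168.100.1 255.255.255.252
 ip nat inside
!
! Forward IKE (UDP 500) and IPsec NAT-T (UDP 4500) arriving on the
! router's public address to the ASA. Nothing else is exposed.
ip nat inside source static udp 192.168.100.2 500 interface GigabitEthernet0/0 500
ip nat inside source static udp 192.168.100.2 4500 interface GigabitEthernet0/0 4500
```

Remote peers and clients then use the router's public address as the VPN endpoint. `show ip nat translations` on the router lists the two static entries and any active VPN flows through them.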

Panos Kampanakis
Cisco Employee

I would prefer to use an ASA for the translations, as they are designed for it and more efficient at it.

Routers can still do it as already suggested.

PK
